From 1b5be5904d3871264fc9b28852170f3e6a1bf513 Mon Sep 17 00:00:00 2001
From: Aaron Schulz
Date: Thu, 24 Aug 2017 16:54:19 -0700
Subject: [PATCH] Add sslCAFile option to DatabaseMysqli

This makes all arguments to the mysqli::set_ssl() call be controllable.

Change-Id: I67ed742add633a77e97d08b812e420a73cd83a52
---
 includes/libs/rdbms/database/DatabaseMysqlBase.php | 7 +++++--
 includes/libs/rdbms/database/DatabaseMysqli.php | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/includes/libs/rdbms/database/DatabaseMysqlBase.php b/includes/libs/rdbms/database/DatabaseMysqlBase.php
index 692ddb70b8..3c4cda5552 100644
--- a/includes/libs/rdbms/database/DatabaseMysqlBase.php
+++ b/includes/libs/rdbms/database/DatabaseMysqlBase.php
@@ -51,6 +51,8 @@ abstract class DatabaseMysqlBase extends Database {
 /** @var string|null */
 protected $sslCertPath;
 /** @var string|null */
+ protected $sslCAFile;
+ /** @var string|null */
 protected $sslCAPath;
 /** @var string[]|null */
 protected $sslCiphers;
@@ -75,7 +77,8 @@ abstract class DatabaseMysqlBase extends Database {
 * - useGTIDs : use GTID methods like MASTER_GTID_WAIT() when possible.
 * - sslKeyPath : path to key file [default: null]
 * - sslCertPath : path to certificate file [default: null]
- * - sslCAPath : parth to certificate authority PEM files [default: null]
+ * - sslCAFile: path to a single certificate authority PEM file [default: null]
+ * - sslCAPath : parth to certificate authority PEM directory [default: null]
 * - sslCiphers : array list of allowable ciphers [default: null]
 * @param array $params
 */
@@ -87,7 +90,7 @@ abstract class DatabaseMysqlBase extends Database {
 ? $params['lagDetectionOptions']
 : [];
 $this->useGTIDs = !empty( $params['useGTIDs' ] );
- foreach ( [ 'KeyPath', 'CertPath', 'CAPath', 'Ciphers' ] as $name ) {
+ foreach ( [ 'KeyPath', 'CertPath', 'CAFile', 'CAPath', 'Ciphers' ] as $name ) {
 $var = "ssl{$name}";
 if ( isset( $params[$var] ) ) {
 $this->$var = $params[$var];
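Review bot: The rewritten `sslCAPath` line in the `@@ -75,7 +77,8 @@` docblock hunk still carries the typo "parth", and the new `sslCAFile:` entry drops the space before the colon that every sibling entry has. I would write them as `- sslCAFile : path to a single certificate authority PEM file [default: null]` and `- sslCAPath : path to a directory of certificate authority PEM files [default: null]`. Since both values are forwarded to the driver, one more sentence saying what an operator should expect when both are set would be useful. The docblock begins above the hunk.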
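Review bot: The constructor loop in the `@@ -87,7 +90,7 @@` hunk stores `$params['sslCAFile']` exactly as given, so a mistyped or unreadable CA path is not noticed here and is only reported when a TLS connection is attempted. Because this file is the trust anchor for the database connection, I would fail early after the loop, for example `if ( $this->sslCAFile !== null && !is_readable( $this->sslCAFile ) ) { throw new InvalidArgumentException( 'sslCAFile is not readable' ); }`, assuming a filesystem check at construction time is acceptable for this class and that exception type is in scope. The constructor starts and ends outside the hunk, so an existing check elsewhere cannot be ruled out from here.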
diff --git a/includes/libs/rdbms/database/DatabaseMysqli.php b/includes/libs/rdbms/database/DatabaseMysqli.php
index 4d1b87b1f9..b925e2c653 100644
--- a/includes/libs/rdbms/database/DatabaseMysqli.php
+++ b/includes/libs/rdbms/database/DatabaseMysqli.php
@@ -91,7 +91,7 @@ class DatabaseMysqli extends DatabaseMysqlBase {
 $mysqli->ssl_set(
 $this->sslKeyPath,
 $this->sslCertPath,
- null,
+ $this->sslCAFile,
 $this->sslCAPath,
 $this->sslCiphers
 );
-- 
2.20.1
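Review bot: Passing `$this->sslCAFile` as the third argument gives mysqli a CA to trust, but nothing in this hunk shows that the connection also asks for the server certificate to be verified; that is decided by the connection flags and options around this call, which lie outside the hunk. `mysqli::ssl_set()` is documented as always returning true, so a wrong CA file surfaces only as a `real_connect()` failure. I would add a comment above the call such as `// ssl_set() never fails; the CA file/path matter only when server certificate verification is enabled for this connection` and confirm that setting in the enclosing method.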